Tuesday, October 8, 2013

NIS master

When establishing NIS as a naming and directory service, after some planning, we begin by installing and configuring the NIS master, which is the central server where all the information (a collection of NIS maps) is created and managed for distribution.

Apart from installing and configuring the NIS software itself, a crucial preliminary step is to structure and prepare the NIS maps' source files. In what follows, I assume the structure and contents defined at the preceding link.

I'll call the sample Solaris 11 NIS master host nis-1.

Install the NIS service package in order to get the server components (note the contents of /var/yp before and after the installation):

# ls -lh /var/yp
total 7
-r-xr-xr-x   1 root     bin ... aliases
drwxr-xr-x   3 root     bin ... binding
-rw-r--r--   1 root     bin ... nicknames

# pkg install service/network/nis
           Packages to install:  1
       Create boot environment: No
Create backup boot environment: No
            Services to change:  1

DOWNLOAD     PKGS         FILES    XFER (MB)   SPEED
Completed     1/1         47/47      0.2/0.2    0B/s

PHASE                                          ITEMS
Installing new actions                         80/80
Updating package state database                 Done
Updating image state                            Done
Creating fast lookup database                   Done 


# ls -lh /var/yp
total 47
-r-xr-xr-x   1 root     bin ... aliases
drwxr-xr-x   3 root     bin ... binding
-r-xr-xr-x   1 root     bin ... Makefile
-rw-r--r--   1 root     bin ... nicknames
-r-x------   1 root     bin ... updaters


Back up, then change /var/yp/Makefile accordingly (a revision control system would be much better here):

# cp -p /var/yp/Makefile{,.backup}

Adjust the following variables and make target:

DIR=/var/nis
INETDIR=/var/nis
RBACDIR=/var/nis/rbac
PWDIR=/var/nis/acct
ALIASES=/var/nis/aliases

all: passwd ageing group netid \
        project netgroup aliases publickey \
        hosts ipnodes ethers networks netmasks \
        rpc services protocols \
        auto.master auto.home \
        auth.attr exec.attr prof.attr user.attr
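As an added example (not from the original post), here is a small POSIX shell helper that performs the backup-then-edit step for the variables above in a repeatable way: it keeps exactly one pristine copy of the Makefile, rewrites each directory variable whatever spacing the stock file uses around the `=`, refuses to silently "edit" a variable that is not there, and reads the values back so the change can be verified. It runs here against a constructed sample that imitates the stock variable lines rather than the live /var/yp/Makefile; the sample file name and the `set_yp_var`/`get_yp_var` function names are this example's own.

```shell
#!/bin/sh
# Added example (not the post's code): back up a NIS Makefile once,
# rewrite its directory variables, and read them back for verification.

# set_yp_var FILE VAR VALUE -- replace "VAR = old" (any spacing) with "VAR=VALUE".
# VALUE is a path, so it must not contain '|' or '&' (sed replacement metas).
set_yp_var() {
    file=$1; var=$2; value=$3
    # Keep exactly one pristine copy; never overwrite an existing backup.
    [ -f "$file.backup" ] || cp -p "$file" "$file.backup"
    # Fail loudly if the variable is absent instead of doing nothing.
    grep -q "^$var[[:space:]]*=" "$file" || { echo "$var not found in $file" >&2; return 1; }
    sed "s|^$var[[:space:]]*=.*|$var=$value|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# get_yp_var FILE VAR -- print the current value with whitespace around '=' stripped.
get_yp_var() {
    sed -n "s|^$2[[:space:]]*=[[:space:]]*||p" "$1"
}

# Constructed sample standing in for /var/yp/Makefile (the real file is much longer).
SAMPLE_MK=${TMPDIR:-/tmp}/yp_makefile_sample.$$
cat > "$SAMPLE_MK" <<'EOF'
# constructed fragment imitating the stock /var/yp/Makefile variable lines
DIR =/etc
INETDIR=/etc/inet
RBACDIR=/etc/security
PWDIR =/etc
ALIASES = /etc/mail/aliases
EOF

# Apply the values from the post, one variable at a time.
for pair in DIR=/var/nis INETDIR=/var/nis RBACDIR=/var/nis/rbac \
            PWDIR=/var/nis/acct ALIASES=/var/nis/aliases; do
    set_yp_var "$SAMPLE_MK" "${pair%%=*}" "${pair#*=}"
done

# Show the result next to the untouched backup.
echo "--- edited:";  grep '=' "$SAMPLE_MK"
echo "--- backup:";  grep '=' "$SAMPLE_MK.backup"
```

To use it on the real file, point `SAMPLE_MK` at /var/yp/Makefile (or pass the path directly to the functions) and remove the sample file afterwards; because the backup is created only once, re-running the edit never clobbers the original copy.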


Define the (RPC) domain name, which in Solaris 11 is set persistently with just the domainname command, for instance:
 
# domainname business.corp
 
Declare the NIS master in /etc/hosts.
Don't declare any NIS slave yet, to avoid timeout issues.
NIS slaves should only be added when they are actually configured.

If DNS isn't implemented, use:
IP HOST.RPC_DOMAIN [alias [alias ...]]
If DNS is implemented, use:
IP FQDN [alias [alias ...]]
For instance, when no DNS is implemented we can use:

# cat /etc/hosts
#
# Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# Internet host table
#
::1             localhost
127.0.0.1       localhost              loghost

192.168.0.10    nis-1.business.corp    nis-1      # NIS master

Take advantage of the built-in access control provided by securenets(4) by declaring the networks and/or hosts to be served:

# cat /var/yp/securenets
255.255.255.0    192.168.0.0
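Because securenets is the only access control ypserv applies, it is worth being able to answer "which clients does this file admit?" before the service goes live. The following is an added example, not part of the original post: a POSIX shell function that evaluates a securenets file offline for a given client address (each "netmask netaddr" line admits the client when client AND mask equals netaddr AND mask), plus a second function that flags wildcard lines (a 0.0.0.0 mask admits every client). The AND is computed bit by bit per octet in plain awk, since POSIX awk has no bitwise operators. The example also accepts the word `host` as the mask and treats it as 255.255.255.255; that spelling is an assumption, so check ypserv(1M) for your release before relying on it. The sample file is constructed here from the post's subnet plus one individual host.

```shell
#!/bin/sh
# Added example (not the post's code): evaluate a securenets(4) file offline.

# securenets_allows FILE IP -- exit 0 (and print the line) if some entry admits IP, else 1.
securenets_allows() {
    awk -v ip="$2" '
    function octand(a, b,   r, bit) {          # bitwise AND of two octets, no bit ops needed
        r = 0
        for (bit = 128; bit >= 1; bit /= 2) {
            if (a >= bit && b >= bit) r += bit
            if (a >= bit) a -= bit
            if (b >= bit) b -= bit
        }
        return r
    }
    function masked(addr, mask,   a, m, i, out) {  # dotted form of addr AND mask
        split(addr, a, "[.]"); split(mask, m, "[.]")
        out = ""
        for (i = 1; i <= 4; i++)
            out = out (i > 1 ? "." : "") octand(a[i] + 0, m[i] + 0)
        return out
    }
    /^[ \t]*#/ || NF == 0 { next }             # comments and blank lines
    NF >= 2 {
        # "host" as mask is an assumed spelling, handled as a single-host mask.
        mask = ($1 == "host") ? "255.255.255.255" : $1
        if (masked(ip, mask) == masked($2, mask)) { print "allowed by: " $0; found = 1; exit }
    }
    END { exit (found ? 0 : 1) }
    ' "$1"
}

# securenets_wildcards FILE -- print lines whose mask admits everyone; exit 1 if any exist.
securenets_wildcards() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }
    $1 == "0.0.0.0" { print "wildcard entry: " $0; n++ }
    END { exit (n ? 1 : 0) }
    ' "$1"
}

# Constructed sample: the post's subnet plus one individual host.
SAMPLE_SECURENETS=${TMPDIR:-/tmp}/securenets_sample.$$
cat > "$SAMPLE_SECURENETS" <<'EOF'
# constructed sample securenets
255.255.255.0    192.168.0.0
255.255.255.255  10.0.0.5
EOF

# Try a client inside the subnet, the single host, and one outside both.
for client in 192.168.0.55 10.0.0.5 192.168.1.55; do
    securenets_allows "$SAMPLE_SECURENETS" "$client" || echo "denied: $client"
done
securenets_wildcards "$SAMPLE_SECURENETS" && echo "no wildcard entries"
```

Run `securenets_allows /var/yp/securenets <client-ip>` against the live file before restarting ypserv; remember that securenets matches on the source address only, so it narrows who can ask for maps but does not authenticate the requester, and it is read only when ypserv starts, so edits need a service restart to take effect.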

Then finally proceed to NIS master activation:

# ypinit -m

In order for NIS to operate successfully, we have to construct a list of the NIS servers.  Please continue to add the names for YP servers in order of preference, one per line.  When you are done with the list, type a <control D> or a return on a line by itself.
    next host to add:  nis-1
    next host to add:  <ENTER>

The current list of yp servers looks like this:

nis-1

Is this correct?  [y/n: y]
<ENTER>

Installing the YP database will require that you answer a few questions. Questions will all be asked at the beginning of the procedure.

Do you want this procedure to quit on non-fatal errors? [y/n: n]
<ENTER>

OK, please remember to go back and redo manually whatever fails. If you don't, some part of the system (perhaps the yp itself) won't work.

The yp domain directory is /var/yp/business.corp
There will be no further questions.

The remainder of the procedure should take 5 to 10 minutes.
Building /var/yp/business.corp/ypservers...
Running /var/yp/Makefile...
updated passwd
updated ageing
updated group
updated netid
updated project
updated netgroup
/var/yp/business.corp/mail.aliases: 0 aliases, longest 0 bytes, 0 bytes total
/usr/lib/netsvc/yp/mkalias /var/yp/`domainname`/mail.aliases /var/yp/`domainname`/mail.byaddr;
updated aliases
updated publickey
updated hosts
updated ipnodes
updated ethers
updated networks
/usr/sbin/makedbm /var/nis/netmasks /var/yp/`domainname`/netmasks.byaddr;
updated netmasks
updated rpc
updated services
updated protocols
updated auto.master
updated auto.home
updated auth_attr
updated exec_attr
updated prof_attr
updated user_attr

nis-1 has been set up as a yp master server without any errors.

If there are running slave yp servers, run yppush now for any data bases which have been changed.  If there are no running slaves, run ypinit on those hosts which are to be slave servers.


We are pretty much done, but let's do some quick verifications.

As an illustration, check the contents of ypservers.
This map is also important for correct map distribution to the slaves.
Later, if more slaves are needed, this map has to be modified manually.
I shall review the relevant details later as well.

# cd /var/yp/business.corp
# makedbm -u ypservers
YP_LAST_MODIFIED 1381326049
YP_MASTER_NAME nis-1
nis-1 

I recommend restarting the nis/domain SMF service so that it is updated with the list of the known NIS servers:

# svcadm restart nis/domain
# svccfg -s nis/domain listprop config/*
...
config/domainname    hostname   business.corp
config/ypservers     host       nis-1
config/securenets    astring    "255.255.255.0 192.168.0.0"
 
Interestingly, where a NIS server (ypserv process) is running, the client binding appears to be automatic, requiring no /etc/nsswitch.conf changes.

# ypwhich
nis-1

# pgrep -fl ypserv
 2678 /usr/lib/netsvc/yp/ypserv

# svcs '*nis*'
STATE          STIME    FMRI
online          9:12:01 svc:/network/nis/domain:default
online         10:41:06 svc:/network/nis/update:default
online         10:41:06 svc:/network/nis/server:default
online         10:41:06 svc:/network/nis/passwd:default
online         10:41:06 svc:/network/nis/xfr:default
online         10:42:06 svc:/network/nis/client:default

 
# ypwhich -m | sort
ageing.byname nis-1
auth_attr nis-1
auto.home nis-1
auto.master nis-1
ethers.byaddr nis-1
ethers.byname nis-1
exec_attr nis-1
group.bygid nis-1
group.byname nis-1
hosts.byaddr nis-1
hosts.byname nis-1
ipnodes.byaddr nis-1
ipnodes.byname nis-1
mail.aliases nis-1
mail.byaddr nis-1
netgroup nis-1
netgroup.byhost nis-1
netgroup.byuser nis-1
netid.byname nis-1
netmasks.byaddr nis-1
networks.byaddr nis-1
networks.byname nis-1
passwd.byname nis-1
passwd.byuid nis-1
prof_attr nis-1
project.byname nis-1
project.byprojid nis-1
protocols.byname nis-1
protocols.bynumber nis-1
publickey.byname nis-1
rpc.bynumber nis-1
services.byname nis-1
services.byservicename nis-1
user_attr nis-1
ypservers nis-1


# ypwhich -x | sort
Use "aliases"   for map "mail.aliases"
Use "ethers"    for map "ethers.byname"
Use "group"     for map "group.byname"
Use "hosts"     for map "hosts.byname"
Use "ipnodes"   for map "ipnodes.byname"
Use "networks"  for map "networks.byaddr"
Use "passwd"    for map "passwd.byname"
Use "project"   for map "project.byname"
Use "protocols" for map "protocols.bynumber"
Use "services"  for map "services.byname" 
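The `ypwhich -m` listing above is the one a client will trust, so it is the natural thing to re-check after every ypinit, slave addition or map rebuild: every map should name the intended master, and the maps that clients depend on should all be present. As an added example, not code from the original post, here are two POSIX shell functions that make those checks over a saved `ypwhich -m` listing (one "map master" pair per line): one reports maps whose master is not the expected host, the other reports required maps that are missing. The sample listing below is constructed from a subset of the post's output with one deliberately wrong line, `hosts.byname old-nis`, added so the check has something to find; the host name `old-nis` is invented for the example.

```shell
#!/bin/sh
# Added example (not the post's code): sanity-check a "ypwhich -m" listing offline.

# map_master_mismatches EXPECTED FILE
# Print every "map master" line whose master is not EXPECTED; exit 1 if any.
map_master_mismatches() {
    awk -v want="$1" '
        NF == 2 && $2 != want { print; bad++ }
        END { exit (bad ? 1 : 0) }
    ' "$2"
}

# missing_maps FILE MAP...
# Print each required MAP absent from the listing (exact name match); exit 1 if any.
missing_maps() {
    file=$1; shift
    rc=0
    for m in "$@"; do
        awk -v m="$m" '$1 == m { f = 1 } END { exit (f ? 0 : 1) }' "$file" \
            || { echo "missing map: $m"; rc=1; }
    done
    return $rc
}

# Constructed sample: a subset of the post's listing plus one stale entry.
SAMPLE_YPWHICH=${TMPDIR:-/tmp}/ypwhich_m_sample.$$
cat > "$SAMPLE_YPWHICH" <<'EOF'
ageing.byname nis-1
group.bygid nis-1
group.byname nis-1
hosts.byaddr nis-1
hosts.byname old-nis
netgroup nis-1
passwd.byname nis-1
passwd.byuid nis-1
ypservers nis-1
EOF

# Maps this example treats as mandatory for a usable NIS domain (an assumption;
# tailor the list to the maps your clients actually consult).
REQUIRED_MAPS="passwd.byname passwd.byuid group.byname group.bygid hosts.byname netgroup ypservers"

echo "--- maps not served by nis-1:"
map_master_mismatches nis-1 "$SAMPLE_YPWHICH" || echo "(master mismatch found)"
echo "--- required maps:"
missing_maps "$SAMPLE_YPWHICH" $REQUIRED_MAPS && echo "all present"
```

On the real master run `ypwhich -m > /tmp/maps.txt` and feed that file to both functions; a map pointing at an unexpected master after a rebuild is the first sign of a stale or rogue server that clients may still bind to.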

 
Even if many maps are empty, it's good to have them already in place: if the need arises, things get much easier, requiring only an update of the map source contents and a remake of the NIS databases. By now we have the following changes in /var/yp:
 
# ls -lhtr /var/yp
total 112
...
-rw-r--r--   1 root     root ... passwd.time
-rw-r--r--   1 root     root ... ageing.time
-rw-r--r--   1 root     root ... group.time
-rw-r--r--   1 root     root ... netid.time
-rw-r--r--   1 root     root ... project.time
-rw-r--r--   1 root     root ... netgroup.time
-rw-r--r--   1 root     root ... aliases.time
-rw-r--r--   1 root     root ... publickey.time
-rw-r--r--   1 root     root ... hosts.time
-rw-r--r--   1 root     root ... ipnodes.time
-rw-r--r--   1 root     root ... ethers.time
-rw-r--r--   1 root     root ... networks.time
-rw-r--r--   1 root     root ... netmasks.time
-rw-r--r--   1 root     root ... rpc.time
-rw-r--r--   1 root     root ... services.time
-rw-r--r--   1 root     root ... protocols.time
-rw-r--r--   1 root     root ... auto.master.time
-rw-r--r--   1 root     root ... auto.home.time
-rw-r--r--   1 root     root ... auth.attr.time
-rw-r--r--   1 root     root ... exec.attr.time
-rw-r--r--   1 root     root ... prof.attr.time
drwxr-xr-x   2 root     root ... business.corp
-rw-r--r--   1 root     root ... user.attr.time


You should have noticed that ypbind is also running on the NIS master, so why not make use of it? Adjust the name service switch SMF service accordingly.

I also recommend implementing pam_list.
This provides finer access control for NIS servers and clients.